Credit unions and other card issuers are losing a whopping $10.9 billion a year to fraud and criminals appear to be attacking from all angles, a new LexisNexis Risk Solutions study said.

The study of 100 risk and fraud decision-makers and influencers working at U.S. card issuers reported 71% of card fraud now comes from credit cards – three times the fraud from debit cards, which accounted for 25% of the total. Prepaid cards contributed only half a billion in fraud losses, the study said.

"EMV chip technology represents the strongest anti-fraud protection at the POS terminal," LexisNexis Risk Solutions Senior Director of Identity Management Kim Little Sutherland said. "However, as this new model continues to roll out over the next 12 months in the U.S., issuers expect certain fraud types to increase. Notably, with the window closing on easily replicable mag stripe cards, we forecast a shift and bump in identity schemes – characterized by the use of synthetic identities and the misuse of true identities."

New Fraud Fads: Application Fraud and Account Takeovers

EMV can mitigate fraud at the point of sale, but it's less effective for online transactions that only require card data rather than an actual card. Although the study found most issuers in turn expect card-not-present fraud to rise as EMV proliferates, it also warned of a spike in application fraud and account takeovers in the next 12 months as criminals try to get their hands on physical EMV cards. Some criminals are already trying.

"While early adopters of EMV are less concerned, their experiences certainly prove the late adopters' fear is well-founded," the study reported. "Twenty-two percent of the losses experienced by issuers in the top 50% by EMV capability could be traced to application fraud, compared with 17% of the losses among issuers in the bottom 50%."

Most issuers (75%) are also concerned that as mobile wallet adoption increases, account takeover will become more attractive to criminals. That puts issuers in a tight spot, the study said.

"While more than half of issuers believe that they currently have account takeover under control, 56% believe that they cannot reduce it any further without adding too much friction into the customer experience," it noted.

Customer Service Conundrum

To accomplish account takeover, fraudsters are targeting call center customer service representatives to gain account access, the study found. It reported 41% of respondents now consider social engineering of customer service staff either their most difficult or second-most difficult challenge in preventing account takeover.

"CSRs are notorious for 'rooting for' the customer – aiding customers who appear to be struggling at remembering security questions in an effort to maintain a positive customer experience," the study said. "Add the desire to serve the customer with a lack of effective tools to verify the identity of a caller, and fraudsters are free to spin a tale that is convincing enough to justify access to the account."

Similarly, detecting application fraud and account takeovers is hardest for issuers when the fraud comes through an affiliate channel such as a co-brand or private label partner, the study said. Applications might run through old software and hardware systems, issuers have little control over staff training and affiliates may be reluctant to turn down applications from people with full shopping carts. A little more than half of issuers that allow accountholders to access their accounts through affiliates' locations said preventing account takeovers through that channel is very or extremely difficult.

The Search for Solutions Continues

"Using more fraud prevention solutions does not necessarily equate to less application fraud: Issuers with higher-than-average rates of application fraud are generally more likely to use any fraud prevention solution or control," the study reported. "This point suggests that issuers are applying as many tools as possible, but they're having little success because they aren't doing so strategically,"

In one example, 54% of issuers with higher-than-average application fraud used one-time passwords — a method common among consumer services such as Facebook and Gmail access – but only 32% of issuers with lower-than-average application fraud did so.

Nonetheless, 78% of issuers plan to make significant investments in fraud mitigation over the next 12 months, with most planning to invest in additional tools. Dynamic and static knowledge-based authentication are at the top of the to-do list, followed by mobile carrier identity verification and manual reviews, the study said.

Join us at Credit Union Times' Fraud: Don't Let It Happen To Your Credit Union Conference, where you will find the latest tools and techniques for preventing fraud and data breaches; strategies for responding in the immediate aftermath and best practices for restoring reputation, financial stability and information security. This two-day conference is designed for credit union executives, boards of directors and those responsible for your credit union's cybersecurity policy. Register to attend and save $150.

NOT FOR REPRINT

© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.